{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2020-37090","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2026-02-01T13:16:06.487Z","datePublished":"2026-02-03T22:01:50.949Z","dateUpdated":"2026-03-05T01:27:52.183Z"},"containers":{"cna":{"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2026-03-05T01:27:52.183Z"},"datePublic":"2020-04-28T00:00:00.000Z","title":"School ERP Pro 1.0 - Remote Code Execution","descriptions":[{"lang":"en","value":"School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server."}],"problemTypes":[{"descriptions":[{"lang":"en","description":"Unrestricted Upload of File with Dangerous Type","cweId":"CWE-434","type":"CWE"}]}],"affected":[{"vendor":"Arox","product":"School ERP Pro","versions":[{"version":"1.0","status":"affected"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:arox:school_erp_pro:1.0:*:*:*:*:*:*:*"}]}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.7,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS"},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"references":[{"url":"https://www.exploit-db.com/exploits/48392","name":"ExploitDB-48392","tags":["exploit"]},{"url":"https://web.archive.org/web/20200129123503/http://arox.in/","name":"Archived Vendor Homepage","tags":["product"]},{"url":"https://web.archive.org/web/20190612111732/https://sourceforge.net/projects/school-erp-ultimate/","name":"Archived SourceForge Product Page","tags":["product"]},{"name":"VulnCheck Advisory: School ERP Pro 1.0 - Remote Code Execution","tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/school-erp-pro-remote-code-execution"}],"credits":[{"lang":"en","value":"Besim ALTINOK","type":"finder"}],"x_generator":{"engine":"vulncheck"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-04T20:09:29.545935Z","id":"CVE-2020-37090","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-04T20:09:51.872Z"}}]}}